WebAuthn: What It Means for the #NoPasswords Revolution and What is Still to be Considered?

by Ori Eisen

April 12, 2018

Reading the news this week, you probably caught the release of WebAuthn from FIDO and W3C. (If not, check out stories from ArsTechnica, The Verge and The Register for more.) The short version is that WebAuthn is a new web API for browsers and web platforms that offers new security authentication methods online and across devices. This announcement signals that FIDO is embarking on making the internet more secure for consumers by reducing the need for passwords, and as a FIDO member, we applaud this momentous milestone.

FIDO and WC3, along with Mozilla, Microsoft, and Google (read: not Apple) are taking their first steps to join the #NoPasswords revolution. To have a strong alliance of companies within the FIDO ecosystem, alongside three technology leaders making a statement (and taking action on internet security) is a great thing for everyone. As Constellation Research’s Steve Wilson told TechCrunch, “It will accelerate the adoption of modern non-password authentication.”

This first step toward a #NoPasswords world has people in our community discussing what it is, what it isn’t and what it means for the future of authentication. Here are some questions that we at Trusona (and our customers) are asking:

WebAuthn works for the web, but what about other digital channel experiences?

If you look at brands today, whether financial, retail, or healthcare, there are a slew of different channels within which they engage their customers, i.e. web, mobile, in-store, kiosks, ATM, call-center etc. The browser plug-in approach as FIDO and W3C laid out makes it tremendously convenient for web browsers (hence the name, WebAuthn) like Google Chrome and Mozilla Firefox; however, it does not solve authentication security or pain points for the other channels. In today’s omnichannel world, where consumers interact with brands through a variety of touchpoints (sometimes simultaneously) and UX reigns supreme, it is critical to build consistent authentication experiences across all channels.

Where’s Safari in all of this?

FIDO and W3C are working with four of the top five (according to StatCounter) web browsers - Chrome (58.4%) and Firefox (13.45%), as well as Internet Explorer (8.92%) and Edge (3.1%) – but where is number-three Safari (10.54%)? Apple is conspicuously absent and is often known to build their own proprietary technology and solutions to keep their "crown jewels" within the company's walls. Also note, Apple is also not a FIDO member,so their non-participation is not totally surprising, at least right now.

WebAuthn gets rid of passwords, but what about usernames?

As long as users need to remember, and are required to type, static credentials, such as a username, the job is not done. That is why we’ve developed authentication which does not require any recall or typing of any static credentials. We’re solely focused on building solutions that improve security and CX to ultimately create a world of 100% dynamic authentication.

Will people actually use it?

Only time will tell. Change is hard. Even when consumers are presented with better options on a silver platter – in this case, via a web plug-in to encourage easier, more secure web access – there’s the big question surrounding actually achieving mainstream adoption. We’ve seen surveys and headlines galore on password rage, insecure passwords and the like, but historically we’ve seen a lack of motivation on the consumers’ behalf to take advantage of new tools, unless they are intuitive and transparent to their current behavior patterns. Year after year, the most common passwords remain “123456” and simply “Password” even when consumers are strongly dissuaded from using common passwords.

What does a consumer need to use WebAuthn?

The new protocol relies on using a PC or laptop that has biometrics available – or requires the user to have (or purchase) a hardware token. Any additional requirements, or cost for the consumer may hinder the widespread adoption of this new solution. This is exactly why we’ve focused on building a strong, yet easily accessible, authentication solution in which people use their mobile phone and our technology is embedded into app of the organization they already have and trust.

Biometrics are great, but what happens if malware steals your biometric data?

Solutions that rely only on biometric data need to look beyond a probabilistic match (i.e. what’s the likelihood it is that person, or a “fuzzy match”) which may be a replay of someone’s biometric data and have measures in place to detect an “exact” match. Studies have show that biometric data once converted to a digital stream of bits and bytes is really no better than a password and has the same risk of being stolen. We urge all technology providers to consider this vulnerability and take precaution with anti-replay measures.

We’re thrilled to see FIDO, W3C, and the industry leaders continue to innovate and join the #NoPasswords revolution. It’s no secret that passwords (and password-based alternatives) will go the way of the dinosaurs. It’s just a matter of when and how. The more parties that invest, develop and challenge this status quo, the closer that day gets.

What questions are you asking? We’d be happy to offer our perspective. Get in touch at info@trusona.com.